Going Social: Guidance for FileNet Content Manager users integrating with IBM Connections

White paper


Abstract

IBM FileNet Content Manager 5.2 and IBM Connections 4.5 build on IBM's past releases to integrate FileNet repositories directly into the Connections community user experience as native components. The integration can be established in brand-new installs, such as those provided by Connections Content Manager; by adding a new IBM Connections system to an existing FileNet deployment; by adding a new FileNet repository to an existing IBM Connections deployment; or by integrating existing but uncoupled FileNet and Connections deployments.
This document focuses on the scenarios involving an existing enterprise FileNet deployment and aims to provide guidance on how to plan the deployment and build on it with future releases. In general, detailed procedural deployment and configuration instructions are outside the scope of this document. For such information, see the product documentation.

Table of Contents
Introduction
Software component and deployment overview
Prerequisites
User directories and security

Managing object stores
Operational planning for additional new features
Other ECM Applications
Other considerations
Deployment recommendations
Appendices

Introduction
IBM FileNet Content Manager 5.2 and IBM Connections 4.5 build on IBM's past releases to integrate FileNet repositories directly into the Connections community user experience as native components. The integration can be established in brand-new installs, such as those provided by Connections Content Manager; by adding a new IBM Connections system to an existing FileNet deployment; by adding a new FileNet repository to an existing IBM Connections deployment; or by integrating existing but uncoupled FileNet and Connections deployments.

Prerequisites, such as the use of WebSphere Virtual Member Manager (VMM) as the FileNet domain LDAP directory provider, must be met to enable the full integration experience. Each of the deployment scenarios above requires some level of planning to minimize future operational changes.

This document focuses on the scenarios involving an existing enterprise FileNet deployment and aims to provide guidance on how to plan the deployment and build on it with future releases. It focuses on the ECM components. For details on configuration within Connections, see this topic.

Software component and deployment overview
Social collaboration and content management can be purchased and licensed through several different product offerings, including Connections Content Manager (CCM), Connections Enterprise Content Edition (CECE) and FileNet Social Content Manager. The offerings provide different levels of enterprise content management (ECM) functionality and, thus, some ECM components are not available in all offerings. However, the components that provide a particular function are the same across all offerings.


    • IBM FileNet Content Manager: provides the enterprise content management platform and repository. The server element is Content Platform Engine (CPE).
    • IBM Connections: provides the social collaboration platform and user interface
    • IBM Content Navigator: IBM ECM user client application. Not included with CCM.
    • IBM FileNet Collaboration Services (FNCS): provides the REST service interface to CPE

    The following diagram depicts the high-level component architecture of the integration between CPE and Connections. It does not include other ECM clients such as ICN or other Connections components such as Wikis and Profiles.


    Prerequisites
    The following prerequisites must be in place before an existing FileNet deployment can be integrated with IBM Connections. Later sections will discuss these prerequisites further, including best practices for planning and execution. The IBM Info Center documentation for the respective products contains detailed execution instructions.

    1. Upgrade IBM FileNet Content Manager to release 5.2 and the most recent fixpack available (currently FP2).

    2. If IBM FileNet Services for Lotus Quickr is installed, upgrade it to IBM FileNet Collaboration Services 2.0 and the most recent fixpack available (currently FP1). If IBM FileNet Services for Lotus Quickr is not present, install IBM FileNet Collaboration Services 2.0 FP1.

    3. Install IBM Connections 4.5 and the most recent fixpack available (currently CR1).

    4. The P8 domain used by Connections must use the new Connections LDAP provider configured for Connections integration. This can be a new domain, or can involve migrating an existing domain along with its object stores. Certain social features are available using linked libraries with other LDAP providers, as will be described later.

    User directories and security
    Several of the prerequisites and configuration requirements are driven by the need to share and synchronize information about users and groups while simultaneously enforcing rigorous security within both IBM FileNet Content Manager and IBM Connections.

    LDAP, WebSphere Virtual Member Manager and Connections
    Virtual Member Manager, or VMM, is a part of WebSphere Application Server and provides lightweight LDAP proxy and federation services. IBM Connections uses VMM exclusively as its interface to the LDAP directory.

    IBM FileNet Content Manager 5.2 adds a new Connections directory provider option, which integrates user and group information from VMM, with community group membership information from IBM Connections. This configuration is required for use with IBM Connections communities.

    Since existing Content Manager environments are not configured to use the new Connections security provider, a directory migration operation must be performed on these environments before they can be used as the basis for creating a new Connections community. The reasons for this issue are discussed further in the “Security IDs” section of this article.

    A directory migration is a significant project that typically involves a lab services engagement. The procedure and scope depends on specifics of the deployment in question, including the original directory configuration and amount and type of content to be migrated.

    It is important to note that, when using the Connections directory provider, CPE acts as a client and Connections as the server: CPE must call out to Connections to get community membership information when computing group membership for users while authorizing requests. This channel uses an HTTP REST interface. It inverts the typical topology, in which Connections (via FileNet Collaboration Services) is the client, and may require special planning or network changes (for example, firewall rules from the CPE tier to the Connections tier) in some environments.

    Note that the Connections provider method has changed in CPE 5.2 FP1. In 5.2, you use the "VMM" directory provider option and set the mandatory WebSphere JVM argument "ibm.filenet.security.vmmProvider.waltzImpl=true". In FP1, you use the "Connections" directory provider; no JVM argument is necessary.

    Security permissions

    The IBM Connections community model has stringent requirements for permissions on community content.

    • In a public community, all users, including unauthenticated users, have read access to all community content.

    • In a private community, only community members have any access to community content regardless of user rights elsewhere in the object store.

    • When a community is created, Connections establishes a set of Role objects for the community. In any community, members have only those rights granted to the roles to which they belong.

    • In any community, all members always have at least read access to all content (except for drafts and documents under review, as noted below). Community read access can only be overridden using a native ECM client application, not through IBM Connections.

    • If document approval is enabled in a community, then only the draft owner, community owners, and draft approvers have any access to a draft under review. In other words, only fully approved document versions are visible to community members or the public.

    • Community owners have full control over all community content.

    • Additional restrictions apply to certain objects associated with community content. For example, a document owner can delete another user's comment on the document, but only the comment creator or a community owner can edit the comment.

    In a FileNet object store, the effective permissions on any given document can derive from multiple sources: the document's owner, its direct access control list, inheritance from a containing folder or some other object, default instance permissions on the document class, security templates, and marking sets. In Connections environments, permissions come primarily from Role objects (which are inherited through the containing folder) and through default instance permissions.

    In order to ensure that the effective permissions on documents and all associated content correctly implement the Connections security model, permissions and default instance permissions on classes in the object store must be set before installing the social collaboration addons. Details on the required security settings are in Appendix A. Also, the event handlers and change preprocessors installed with the addons must remain active, as they enforce some of the security constraints.

    The following diagram depicts the data model that implements the Connections security model. It leverages security proxies heavily. Applications set permissions directly via security proxy objects, and those permissions flow down to the business objects that inherit security from the proxies. Permissions on business objects are additive and can be inherited from multiple security parents or proxies.



    Security permissions and existing object stores
    A new object store created for use with community libraries, either using the Connections tooling or configured manually as described in the appendices, will have permissions and default permissions set on the object store and various classes such that objects within community libraries follow the Connections security model.

    Security permissions on a pre-existing object store are unlikely to be configured such that they properly enforce the Connections security model. Modifying these permissions has implications for existing content. That is a primary reason for our recommendation that a new, dedicated object store be used for community libraries. It is, however, possible to reconfigure an existing object store. This section describes what the various permissions are for, so that an administrator can understand the possible effects of changing them and plan accordingly. It may also be of interest to those who simply want to understand security on their new Connections object store.

    The first step in configuring security is setting permissions on the object store itself. During object store creation, the administrator specifies one or more LDAP groups as object store administrators and another set as object store basic users. Default instance permissions on the classes defined during object store creation and addon installation are derived from the object store administrator and user permissions. For example, if you grant #AUTHENTICATED-USERS basic access to the object store, then #AUTHENTICATED-USERS will have read access in the default instance permissions on all classes.

    When CPE creates a new document (or any other object type), it applies the default instance permissions of the document class to the new document. If #AUTHENTICATED-USERS is in the DIPs for Document then, by default, all authenticated users will have read access to all versions of all documents. You can retroactively modify object store permissions, for example by replacing #AUTHENTICATED-USERS with an administrator group. This change will affect the default instance permissions for new classes, but not for classes already defined in the object store or instances of those classes.
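The three-stage snapshotting just described (object store users copied into each class's default instance permissions at class creation, the class DIP copied into each instance's ACL at instance creation) is what makes a retroactive change to the object store's basic users ineffective for existing classes and content. The following is an added illustrative model, not IBM code or the CPE API; the class name ClbDocumentSubclass and the group cn=ecm-admins are constructed for the walkthrough.

```python
"""Model of the default-instance-permission (DIP) chain: object store admins and
basic users -> DIP snapshot on each class at class creation -> ACL snapshot on
each instance at instance creation. Added example; not IBM code."""
AUTHENTICATED_USERS = "#AUTHENTICATED-USERS"


class ObjectStore:
    def __init__(self, admins, users):
        self.admins = set(admins)
        self.users = set(users)
        self.class_dips = {}   # class name -> {principal: access level}
        self.objects = {}      # object name -> {"class": ..., "acl": {...}}

    def _derived_dip(self):
        dip = {p: "read" for p in self.users}
        dip.update({p: "full control" for p in self.admins})
        return dip

    def define_class(self, name):
        """A class takes a copy of the store-derived DIP when it is created."""
        self.class_dips[name] = self._derived_dip()

    def set_basic_users(self, users):
        """Retroactive store change: only classes defined afterwards see it."""
        self.users = set(users)

    def set_class_dip(self, name, dip):
        """Explicit DIP fix on a class: only instances created afterwards see it."""
        self.class_dips[name] = dict(dip)

    def create(self, class_name, object_name):
        """An instance takes a copy of its class DIP when it is created."""
        self.objects[object_name] = {"class": class_name,
                                     "acl": dict(self.class_dips[class_name])}
        return self.objects[object_name]

    def can_read(self, object_name, principals):
        acl = self.objects[object_name]["acl"]
        return any(p in acl for p in principals)   # read or full control


def remediation_walkthrough():
    """Store created with #AUTHENTICATED-USERS as basic users, then remediated
    in two steps; returns whether all authenticated users can read each object."""
    store = ObjectStore(admins={"cn=ecm-admins"}, users={AUTHENTICATED_USERS})
    store.define_class("Document")
    store.create("Document", "doc-before")
    store.set_basic_users({"cn=ecm-admins"})        # step A: fix the store
    store.define_class("ClbDocumentSubclass")       # hypothetical class added after step A
    store.create("Document", "doc-after-store-fix")
    store.create("ClbDocumentSubclass", "doc-of-new-class")
    store.set_class_dip("Document", {"cn=ecm-admins": "full control"})  # step B: fix the class
    store.create("Document", "doc-after-class-fix")
    everyone = {AUTHENTICATED_USERS}
    return {name: store.can_read(name, everyone) for name in store.objects}


if __name__ == "__main__":
    for name, readable in remediation_walkthrough().items():
        print(f"{name:25} readable by all authenticated users: {readable}")
```

Only the object created after the class-level fix (step B) is protected; the store-level change alone leaves both the existing Document class and its existing instances open, which is why step 1 of the guidelines below insists on fixing the class DIPs and why existing content must be handled separately.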

    In some of the steps outlined below, you will be modifying the security permissions on multiple objects. You can use FileNet Enterprise Manager (FEM) to perform bulk security updates. The web-based Administrative Console for Content Engine (ACCE) currently supports individual updates only. See the FileNet Content Manager info center for detailed instructions.

    The changes described so far will secure documents and folders created by Connections users. However, in order to create and modify objects, users need read and create instance permissions on certain class definitions. Read permissions on a class definition do not imply read permissions on the instances of that class. Create instance permission gives the user permission to create instances of the class, but does not extend permissions to any objects not created and owned by the user.

    If the object store was not originally created with #AUTHENTICATED-USERS or group(s) containing all Connections users as basic users, then it might be necessary to modify class permissions so that Connections users are able to use the classes.

    Some administrators may wish to segregate their taxonomies such that some document classes are not available within Connections. If a community member has read but not create instance rights to a document class, then they will be able to view and work with existing documents of that class. If the community library allows a user to select a document class on upload and the member chooses the class in question, they will encounter an error. If a community member does not have read access to a class, they will be unable to view any document of that class. The presence of such a document in a community library will cause errors when the member attempts to browse the library. Therefore, the administrators in this case must put controls in place such that documents of restricted classes cannot be placed in a community library by any user. Such a configuration is potentially quite complex. It is preferable to use separate object stores.

    There are other types of objects, aside from class definitions, that contain metadata used for Connections. FileNet Collaboration Services must read these objects, on behalf of the authenticated users, in order to report document metadata to Connections. These include choice lists, property templates and task relationships. These are created dynamically as the system is used. Therefore, the default instance permissions for these classes should include read permissions (and only read) for all Connections users.

    Any property templates or choice lists that were created before you modified default instance permissions on the metadata classes will have the old permissions and might not be accessible to Connections users. These include property templates and choice lists that came with addons installed earlier. You might, therefore, need to manually set permissions on these objects. It is not necessary to modify permissions on property templates that are only used by non-document classes (Folder, CustomObject, etc.).

    The task relationship objects that Connections users must access are created only during document approval workflows initiated from Connections. Existing task relationship objects should not need to be modified.

    The following steps and guidelines summarize best practices in configuring security for Connections on an existing object store.

    1) If you modify basic access to the object store, then modify default instance permissions on Folder, Document, and any subclass of Document that might be used within Connections so that only administrators have any access rights. If this is not done then users might have read access to content that should be forbidden under the Connections security model.

    2) Refer to Appendix A, step 2. Examine permissions on the named classes and confirm that all Connections users have the required read and create instance rights. If this is not done then Connections users might see errors when attempting to upload documents, because Connections is unable to retrieve metadata about the target document type.

    3) Refer to Appendix A, steps 4, 5 and 6. Examine permissions on the named classes and confirm that Connections users have the required read access rights.

    4) Identify all choice lists and property templates that are used in Document classes. Confirm that Connections users have the required read access rights.

    Security IDs: mappings and source attributes

    FileNet Content Manager supports multiple third-party LDAP servers in a variety of configurations. Principals in all systems typically have an invariant, uniquely identifying attribute, or ID. However the attribute used, and its format, varies. In order to normalize persisted data and use a consistent internal ID format, CPE converts LDAP user IDs to the “Security ID” format, or SID. These SIDs are used wherever a principal ID must be persisted in the object store. The SID is derived from the source LDAP attribute. Therefore, the SID that is generated for a given principal depends on both the source LDAP server type and the unique ID attribute from which the SID is derived.

    IBM Connections also persists user IDs. However, it uses other formats: typically, but not always, UUID. Connections always uses VMM as a virtual LDAP provider. The mapping from the ID attribute in the origin LDAP system to UUID is similar to the FileNet mapping to SID, and is done within VMM. When configured for Connections integration, the Connections directory provider performs an additional layer of mapping and, thus, generates a different ID format.

    It is these persisted IDs that necessitate a directory migration for FileNet object stores in order to use the Connections directory provider for the integration with IBM Connections.

    The attribute in the source LDAP directory that is used for IDs in Connections and FileNet is configurable, and the choice of attribute is a critical decision. The attribute must be unique (per user), immutable, and non-reusable. The default, UUID, meets these requirements in a way that is directly enforced by the directory itself. It is a good choice on systems where users are not deleted from and then re-added to the directory. See this topic for more information.

    Because the LDAP directory generates UUIDs uniquely for each user account, a given user cannot be deleted from LDAP and then re-added with the same UUID. For this reason, some customers have a requirement to use a different attribute as primary user ID. IBM Connections and FileNet support this method. However, it is the customer's responsibility to guarantee that the non-default attribute is unique, immutable and non-reusable. An employee ID that is provisioned outside the LDAP directory and that uniquely and permanently identifies each employee is acceptable. A short name or email address is not a good choice as it is very difficult to ensure that a given value will not ever be reused.

    User IDs are used in the FileNet repository for authorization and auditing purposes. A short scenario illustrates why it is critical to use a non-reusable attribute.

    Say a customer deployment has a requirement to delete and re-add users to the LDAP directory, and they choose email address as the primary ID attribute for Connections and FileNet because it is unique and no other usable attribute exists. A user John Smith, with email address "jsmith@example", has a sensitive role and manages a number of confidential documents in the ECM repository that are under strict access control. John Smith's user ID is persisted on the access control lists of these documents, as well as in the "creator" and "last updater" properties.

    John Smith leaves the organization. The documents, along with the references to the user's ID, stay in the repository for a number of years. It is not unusual for documents in an ECM system to have a lifetime of ten or more years; some organizations even manage documents that are decades old. Thus, some years later, Jerry Smith joins the organization and requests the email address "jsmith@example". The request is granted because the email address has not been used in years. Jerry Smith has a need to read personnel orientation documentation that is kept in the ECM system and is given login access.

    The following two security problems now arise.

    John Smith had read and write access to sensitive, confidential documents. Jerry Smith, a new hire, now has the same access because the access control lists reference his ID. This situation allows for a severe breach of data confidentiality and integrity. Since the two different users are represented with the same identifier to FileNet, the system has no way to distinguish the users and sees the two people as the same. Other attributes such as name and phone number may have changed, but changes to those attributes are common and the system does not use them for identifying a user.

    Another user who views metadata on the documents formerly owned by John Smith might see that the documents were created or modified by Jerry Smith. Though less severe than the last, this scenario could still cause user confusion and some degree of trouble if, for example, the documents in question appear in a search for content relevant to litigation.

    The customer in this scenario would be much better advised to find or even create a new attribute in the LDAP system or to modify user provisioning procedures such that delete and re-add are not necessary and UUID can be used as primary ID in Connections and FileNet.
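The scenario above, replayed as an added example (not IBM code and not the real SID derivation): a miniature directory that mints entryUUID values, and a miniature object store that persists whichever attribute is configured as the principal ID on ACLs and audit properties. The login "jsmith", the address "jsmith@example" from the text and the document name are constructed; the only thing that changes between the two runs is the ID attribute.

```python
"""Why the persisted principal ID must come from a non-reusable attribute.
Added example; the Directory and ObjectStore classes are illustrative stand-ins,
not the LDAP server or CPE."""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryEntry:
    uid: str          # login short name
    mail: str         # reusable: a new person can be given an old address
    entry_uuid: str   # minted by the directory, never reused


class Directory:
    def __init__(self):
        self.entries = {}

    def add(self, uid, mail):
        self.entries[uid] = DirectoryEntry(uid, mail, str(uuid.uuid4()))
        return self.entries[uid]

    def delete(self, uid):
        del self.entries[uid]


class ObjectStore:
    """Persists one attribute of each principal, the way CPE derives the SID
    from the configured unique-ID attribute."""
    def __init__(self, id_attribute):
        self.id_attribute = id_attribute
        self.documents = []

    def principal_id(self, entry):
        return getattr(entry, self.id_attribute)

    def create(self, name, creator, readers):
        doc = {"name": name,
               "creator": self.principal_id(creator),            # audit property
               "acl": {self.principal_id(e) for e in readers}}   # access control
        self.documents.append(doc)
        return doc

    def can_read(self, doc, entry):
        return self.principal_id(entry) in doc["acl"]

    def resolve(self, directory, persisted_id):
        """Map a persisted ID back to whoever currently carries it, if anyone."""
        for entry in directory.entries.values():
            if self.principal_id(entry) == persisted_id:
                return entry.uid
        return None


def replay(id_attribute):
    """John Smith creates a restricted document, leaves, and years later
    Jerry Smith is provisioned with the same login and address."""
    ldap = Directory()
    store = ObjectStore(id_attribute)
    john = ldap.add("jsmith", "jsmith@example")
    confidential = store.create("merger-plan.docx", creator=john, readers=[john])
    ldap.delete("jsmith")                          # John leaves; the document stays
    jerry = ldap.add("jsmith", "jsmith@example")   # the same values, a different person
    return {
        "jerry_can_read": store.can_read(confidential, jerry),
        "creator_resolves_to": store.resolve(ldap, confidential["creator"]),
    }


if __name__ == "__main__":
    for attribute in ("mail", "entry_uuid"):
        print(f"ID attribute {attribute:10}: {replay(attribute)}")
```

With mail as the ID attribute Jerry inherits John's access and appears as the document's creator; with entry_uuid he gets nothing and the creator resolves to no current user, which is the correct outcome for a departed employee even though it means the persisted ID is now an orphan that audit tooling must be prepared to display as such.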

    System and administrative user accounts

    When planning a deployment, identify the user accounts that will be used for various system interactions and administrative roles. This topic covers those roles and accounts that are directly used in the integration between Connections and CPE. See the respective product documentation for details on other roles and accounts. In order to simplify configuration, a single system account can be used for multiple roles if allowed by corporate policies.

    • Connections administrator. The Connections administrator, or administrative group, typically but not necessarily has administrative privileges on the FileNet object store(s) used for Connections. Note that this role is reflected in a Connections enabled object store as the "Global Administrator Role".

    • FileNet object store administrator. Users or groups with administrative (full control) privileges on the object store(s) used for Connections. Can include Connections administrators.

    • FNCS lifecycle system user. A system user account used by the Connections server in background lifecycle calls that provision and modify libraries. Must have “create subfolder” rights on the “/ClbTeamspaces” folder. Administrative privileges are not required. Configured as a J2C role ("filenetAdmin") on the Connections server.

    • Activity stream system user. A system user account used by CPE to authenticate to the Connections server in order to push events on ECM content into the Connections activity stream. Configured in the CPE CollaborationConfiguration object and within Connections.

    • Search index user. A system user account used by Connections to index ECM content via FNCS. Configured as a role on the Connections WebSphere server, as with the activity stream user. Also configured in the CPE ClbCollaborationConfiguration object so that content downloads for search indexing purposes are not counted. Must have read access to all community content in the object store. Uses the same J2C role as the lifecycle system user, so it is effectively the same account.

    • Anonymous user. A system user account used by FNCS to enable access to CPE by users who are not logged into Connections. Configured as a role on the FNCS WebSphere server. Also configured in the CPE ClbCollaborationConfiguration object so that anonymous downloads are correctly accounted for. No particular access rights are required, and none should be granted.

    • Global review administrators. A set of users and groups who have document review privileges across all community content. Configured on the CPE ClbGlobalReviewAdministrators object. This is optional. However, without it, only object store administrators will have global review privileges.

    • Activity stream ignored users. A set of user accounts that will be ignored by the activity stream generator. The setting is optional and typically contains system accounts used by bulk update and migration tooling such as the Quickr Domino migration tool.

    Repository-level special security roles

    In a FileNet object store, administrators are specified at the level of object store. Basic users, who have general read access and the ability to create documents and folders, can also be configured on the object store. However, as described elsewhere in this document, there should be no basic users on an object store used for Connections community libraries.
    It is useful to be able to provide a certain level of administrative access to other users across Connections content. These users are not ECM repository administrators; they are administrators of the Connections content. Two special role objects in FileNet provide this capability. They are described briefly in the previous section. Here, we elaborate.

    Global administrators have full control -- read, write, delete and access control -- over all community libraries and their content, regardless of membership. They do not have any privileged level of access to content outside of community libraries. It is a useful best practice to identify or create one or more directory groups to represent Connections content administrators and configure them as global administrators in the object store. Use FEM or ACCE to search for the single canonical instance of ClbGlobalAdministrator and give the groups appropriate access. Typically this will be the "full control" access level. Choose the scope "this object and all children" if you want global administrators to be able to edit the role itself, for example to provision other global administrators. Choose "all children, but not this object" if you do not want global administrators to be able to modify the global administrator role and create or remove other administrators.

    Global review administrators are similar to global administrators but their administrative rights are restricted to document review and approval. It may be useful to identify and provision a group of users who have the ability to approve or reject content in any community library, regardless of community membership. Follow the same procedure as described above for provisioning global administrators. The role class in this case is "ClbGlobalReviewAdministrator".

    Community library security and other applications
    Community library security for Connections is compatible with other ECM applications. The CPE repository itself enforces all security; it is not possible to bypass security set for or through Connections by using a different ECM client, and vice versa. However, it is not always possible to view or manage security set in one ECM client application from another client application.

    See security permissions for a description of the data model that implements Connections security. CPE itself enforces all security permissions. It is not possible for another client application to bypass the security model, nor is it possible for a user to modify security unless they have appropriate permissions on the object in question ("modify permissions" is a distinct permission bit; write access does not imply the ability to modify security).

    The effective security permissions on a business object in FileNet are additive. That is, CPE computes access rights for a given user by taking the union of all permissions derived or inherited from all sources. In the event of a conflict where an allow ACE and a deny ACE both apply to the user, the deny ACE takes precedence. If the ACEs are at different levels, with one ACE set directly on the object and the other inherited, the direct ACE takes precedence.

    Content Navigator also uses security proxies to enforce a similar, role-based security model on teamspaces. By default, when a Content Navigator user adds a document to a teamspace, the document inherits security from the teamspace (just as in a community library teamspace). However, if a user overrides security on a document using Content Navigator, the new security is set directly on the document.

    It is possible to view, but not modify, access rights set within the Connections security model on objects in Content Navigator. The Content Navigator user can override Connections security by setting permissions directly on a business object. For example, using Content Navigator, you can modify a document's security to deny access to a community member. This method might be necessary in certain situations to comply with corporate security guidelines, but in general is not recommended as it can interfere with document library functions in Connections. It is better to segregate restricted content into another teamspace or folder.
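The precedence rules stated above (additive inheritance from every security parent or proxy, direct ACEs overriding inherited ones, deny beating allow at the same level) and the Content Navigator override just described are easier to reason about in code. The following is an added illustrative model, not IBM code and not the CPE API. The role proxies, the group names (community-members, community-owners, content-admins), the library path and the choice of "all children, but not this object" on the ClbGlobalAdministrator role are constructed to mirror the text.

```python
"""Model of CPE effective-rights evaluation: union of ACEs from the object and all
security parents; direct deny > direct allow > inherited deny > inherited allow.
Added example; not IBM code."""
from dataclasses import dataclass, field
from enum import Enum, IntFlag, auto


class Right(IntFlag):
    READ = 1
    WRITE = 2
    DELETE = 4
    MODIFY_PERMISSIONS = 8   # a distinct bit: WRITE does not imply it
    FULL_CONTROL = 15


class Depth(Enum):
    THIS_OBJECT_ONLY = auto()
    THIS_AND_ALL_CHILDREN = auto()
    ALL_CHILDREN_NOT_THIS = auto()   # "all children, but not this object"


@dataclass
class Ace:
    grantee: str                 # user or group name
    rights: Right
    allow: bool = True           # False makes this a deny ACE
    depth: Depth = Depth.THIS_AND_ALL_CHILDREN


@dataclass
class Securable:
    """Folder, document or role/proxy object: its own ACL plus the security
    parents it inherits from (inheritance is additive across parents)."""
    name: str
    acl: list = field(default_factory=list)
    parents: list = field(default_factory=list)


def inherited_aces(obj):
    """All ACEs reaching obj through its security parents, transitively.
    An ACE scoped to this object only never propagates."""
    found = []
    for parent in obj.parents:
        found += [a for a in parent.acl if a.depth is not Depth.THIS_OBJECT_ONLY]
        found += inherited_aces(parent)
    return found


def _split(aces, principals):
    allow = deny = 0
    for ace in aces:
        if ace.grantee in principals:
            if ace.allow:
                allow |= int(ace.rights)
            else:
                deny |= int(ace.rights)
    return allow, deny


def effective_rights(obj, user, groups=()):
    principals = {user, *groups}
    direct = [a for a in obj.acl if a.depth is not Depth.ALL_CHILDREN_NOT_THIS]
    d_allow, d_deny = _split(direct, principals)
    i_allow, i_deny = _split(inherited_aces(obj), principals)
    value = i_allow & ~i_deny    # inherited level: deny beats allow
    value |= d_allow             # a direct ACE overrides inherited ones
    value &= ~d_deny             # a direct deny beats everything
    return Right(value)


def community_library():
    """Two role proxies for a private community, the global administrator role
    scoped so its holders cannot edit the role object itself, a library folder
    inheriting from all three, and a document inheriting from the folder."""
    members = Securable("Members", [Ace("community-members", Right.READ)])
    owners = Securable("Owners", [Ace("community-owners", Right.FULL_CONTROL)])
    global_admins = Securable("ClbGlobalAdministrator", [
        Ace("content-admins", Right.FULL_CONTROL, depth=Depth.ALL_CHILDREN_NOT_THIS)])
    library = Securable("/ClbTeamspaces/Sales", parents=[members, owners, global_admins])
    document = Securable("forecast.docx", parents=[library])
    return global_admins, document


def deny_member_via_icn(document, user):
    """The Content Navigator override: a deny ACE placed directly on the document
    beats the READ the user inherits through the Members role."""
    document.acl.append(Ace(user, Right.READ, allow=False, depth=Depth.THIS_OBJECT_ONLY))
    return effective_rights(document, user, {"community-members"})


if __name__ == "__main__":
    role, doc = community_library()
    for who, groups in [("alice", {"community-members"}), ("dave", {"community-owners"}),
                        ("carol", {"content-admins"}), ("eve", set())]:
        print(f"{who:6} on document: {effective_rights(doc, who, groups)!r}")
    print("carol on role object:", repr(effective_rights(role, "carol", {"content-admins"})))
    print("bob after ICN deny:", repr(deny_member_via_icn(doc, "bob")))
```

A member gets exactly READ, an owner and a global administrator get full control on the document, the global administrator gets nothing on the role object itself, a non-member gets nothing, and the direct deny set through Content Navigator removes a member's inherited READ without touching anyone else. The same model shows why the Connections sharing dialog cannot represent that deny: it lives on the document, not on a role proxy.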

    It is not currently possible to view, from Connections, security that was set in Content Navigator. That is, for a document in a linked library whose security is managed from Content Navigator, the Connections sharing dialog will show no members. This indicates that security is managed from Content Navigator.

    Managing object stores

    Deployment or configuration of object stores for an IBM Connections integration and the provisioning and segregation of content and users across them is a critical planning element.

    Types of libraries

    A "library" is a top-level container for collaborative content within a repository. Three types of libraries exist, all built on the teamspace data model, and they are referred to in different ways depending on the context. This section defines the terms.

    • Teamspace: the collaborative workspace paradigm used within ICN. Teamspaces provide the common repository data model used by both ICN and Connections. Therefore, the terms "teamspace" and "library" are synonymous.

    • Community library: a library created by and for a Connections community. Security and structure within a community library follows the Connections model described elsewhere in this document. However, under the covers the community library is a teamspace and can be used in ICN.

    • Linked library: a library that is linked into a Connections community but created elsewhere, rather than created specially for the community. Prior to Connections 4.5 / FileNet Content Manager 5.2, linked libraries were the only model supported. ICN teamspaces can be used in communities as linked libraries. A community library can also be linked into another community.

    • Legacy (FNQS) library: a library created for FNQS 1.1 or earlier. These libraries predate teamspaces and use a different data model.

    Provisioning new object stores for IBM Connections community libraries

    It is recommended that a new, dedicated object store be provisioned to host community libraries, and that content in existing object stores be managed in Connections using the “linked library” feature.

    Prerequisites:

    1. The P8 domain is using the Connections provider as its directory service configuration. As mentioned above, a directory migration procedure may be necessary to migrate existing domains and object stores into this configuration.

    The steps to configure an object store for Connections use are given below. Note that the Connections configuration tool performs these steps. The Connections tool can be used to provision new object stores on existing P8 domains (subject to the directory provider prerequisite). It is not typically necessary to perform these steps manually for new object stores.

    1. Create a new object store in the host domain.

    2. Important: As discussed in step one of the instructions in Appendix A, set a global Connections administrators group at the object store administrators prompt. Set the same group at the object store users prompt – do not allow the creation to proceed with an empty list or it will apply the default of #AUTHENTICATED_USERS (a special CPE principal indicating all authenticated users). The Connections security model requires that #AUTHENTICATED_USERS not have default access to any object store content.

    3. Important: Install only the base Content Platform Engine addon – do not install any social collaboration addons (you will do this later).

    4. Define permissions and default instance permissions on classes in the object store as described in Appendix A.

    5. Install the required AddOns as described in Appendix B.

    6. Configure the activity stream and social collaboration addons by editing properties on the SocialCollaborationConfiguration objects.

    7. If necessary, grant appropriate access for system users to the “/ClbTeamspaces” folder.

    The new object store is now ready for use. Create one or more teamspaces using IBM Content Navigator, or configure FNCS to use the new object store as its default and create community libraries in IBM Connections.

    The Connections tooling currently uses hard-coded names for the P8 domain and object store (ICDomain and ICObjectStore). These can be changed immediately after creation using Administrative Console for Content Engine (ACCE) or FileNet Enterprise Manager (FEM) without ill effect.

    Using existing object stores for community libraries

    It is recommended that a new, dedicated object store be provisioned to host community libraries. Other ECM client applications, such as IBM Content Navigator, can then share and manage content on the object store.

    However, it is possible to add community libraries to an existing object store. This configuration is recommended only for small deployments.

    Configuring an object store for community libraries requires modifying default instance permissions on various classes before installing the social collaboration addons, as noted above. Other FileNet client applications may be affected by the permissions changes.

    Prerequisites:
    1. The P8 domain and object stores have been migrated to the Connections directory provider.

    Steps:
    1. If necessary, grant full control rights on the object store to any new administrator groups such as Connections administrators.

    2. Define permissions and default instance permissions on classes in the object store as described in Appendix A. Important: do this before installing any new addons. This step is discussed in more detail later in this section.

    3. Install the required AddOns as discussed in Appendix B.

    4. Configure the activity stream and social collaboration addons by editing properties on the SocialCollaborationConfiguration objects.

    5. If necessary, grant appropriate access for system users to the “/ClbTeamspaces” folder.

    6. The object store is now ready for use. Configure FNCS to use the object store as its default and create community libraries with IBM Connections.

    Modifying default instance permissions, object store permissions or permissions on metadata has broad implications and can affect the function of other applications using the object store.

    Options without a directory migration

    As noted elsewhere, the Connections directory provider is required for key social features including automated provisioning of community libraries, sharing, activity streams and document approval. A directory migration is strongly recommended, in order to support these features.

    However, it is possible to expose significant functionality using only linked library mode without the Connections/VMM provider. With this model, libraries (teamspaces) are provisioned in IBM Content Navigator and separately linked into Connections communities. Membership between the teamspace and the community must be synchronized manually. Members added to a community will not automatically get access to the libraries linked into the community, and members removed from the community may still have access to the linked library content. One option is to use LDAP groups for teamspace and community membership – an LDAP group is provisioned and populated, then added as a member to both the community (in Connections) and the teamspace (in ICN). Then, the addition or removal of individual users requires only a single change in LDAP. This model may work well for large or long-running collaborative environments.

    Sharing, activity streams, document approval and community search results will not be available outside community libraries. Tagging, comments, recommendations, download counts and library search will be available, as will all functionality provided by IBM Content Navigator.

    Note that the way in which permissions are edited through the Connections user interface differs from how this is done from IBM Content Navigator. Permissions created in either environment will be enforced by Content Engine, but Connections users will not be able to view and edit Navigator defined permissions, and vice versa. For this reason, it is recommended to only use one of these environments for the purpose of editing permissions.

    Moving object stores between domains

    As stated elsewhere, the recommended model for large deployments is a new, dedicated P8 domain for Connections communities. One or more object stores are then contained within this domain, which uses the Connections directory provider integration from the beginning.

    In the future, it may be desirable to move content from the Connections domain into the original P8 domain, or into a new domain. IBM FileNet Content Manager supports moving object stores between domains. See the info center deployment topics for more information. Note that when moving an object store, the source and target domains must have the same directory server configuration, so a directory migration on one or the other might be necessary. Other restrictions may also apply. Refer to the FileNet Content Manager InfoCenter section on Reassigning an object store for more details.

    Existing content, teamspaces and social features

    Most social features, including comments, tags, recommendations and download counts, are available on all FileNet documents regardless of location. IBM Connections only manages content stored in libraries (teamspaces). However, as these social features are implemented in IBM Content Navigator, they will generally be available on all content.

    Certain social features are tied to IBM Connections and the community security model. These features, including document approval and activity streams, are not available outside the context of a Connections community library.

    IBM FileNet Collaboration Services, previously called IBM FileNet Services for Lotus Quickr (FNQS), provided integration with Lotus Quickr and IBM Connections 3.0.1 using a different library data model (QuickrLibrary). FileNet Collaboration Services 2.0 supports existing libraries created for IBM FileNet Services for Lotus Quickr 1.0 or 1.1 at the 1.1 level of functionality. Existing libraries using the QuickrLibrary data model must be migrated to teamspaces to expose new functionality within Connections. Currently, this migration must use the copy process outlined below. After migration, the library will have to be re-added to any desktop connector or linked library configurations, as its ID will have changed. A future release might include tooling to remove this constraint.

    Since IBM Connections only manages content within a library, existing content that is not in a library must be migrated into a library (teamspace) before use within Connections.

    CPE restricts moving folders into teamspaces and changing the class of a folder to a teamspace in order to maintain referential integrity. Currently, migrating content to a teamspace is a manual process:

    1. Create a new teamspace using ICN or Connections

    2. If necessary, modify security or membership on the teamspace using ICN

    3. Use ICN, ACCE or FEM to copy all content from the source folder into the teamspace

    A future release of FNCS or ICN might include tooling to support this migration.

    The following table specifies the features that are available in different library scenarios. Note that as of this writing no client supports the use of social features outside the context of a library. In future releases ECM clients might support this functionality. Custom clients are another option.

    Feature              | Community library | Linked lib, Connections LDAP | Linked lib, no Connections LDAP | FNQS 1.1 lib | Not in lib
    Comments             | Y                 | Y                            | Y                               | N            | Y
    Tags                 | Y                 | Y                            | Y                               | N            | Y
    Download records     | Y                 | Y                            | Y                               | N            | Y
    Likes                | Y                 | Y                            | Y                               | N            | Y
    Integrated search    | Y                 | N                            | N                               | N            | N
    ECM search           | Y (not used)      | Y                            | Y                               | Y            | N
    Sharing              | Y                 | Y                            | N                               | N            | ?
    Trash bin            | Y                 | Y                            | Y                               | N            | ?
    Activity stream      | Y                 | Y                            | N                               | N            | ?
    Doc approval         | Y                 | N                            | N                               | N            | N
    FNQS 1.1 features    | Y                 | Y                            | Y                               | Y            | N

    Note that you can create a library in some community, A, and link it into another community, B. In this case, the library content is searchable from both communities. Document approval and sharing are available. The original community, A, controls security on the library. Members of community B might be directed back to community A to perform certain tasks, such as sharing.

    Migrating content from external repositories

    In general, bulk migration of content from an external repository into a FileNet object store is done using administrative tooling such as the P8 bulk loader. Custom tooling or lab services engagements are often desirable for large or complex migrations.

    The migration of content into a teamspace and its subsequent exposure as an IBM Connections library or linked library poses no special requirements. Customers may have specific needs depending on the structure of the original data and the taxonomy and storage organization of the FileNet system. For Quickr Domino customers, a dedicated migration tool that maintains the structure of the source Quickr Places to the greatest extent possible will be available shortly.

    In general, the procedure is:

    1. Set up the target FileNet domain and object store for Connections integration as described elsewhere in this document.

    2. Create one or more teamspaces. Use IBM Connections to create a new, empty community library. Alternatively, use IBM Content Navigator to create a new, empty general-purpose teamspace that can be linked into a Connections community.

    3. Use tooling to import documents and folders into the new teamspace(s). This tooling can use the native FileNet APIs, IBM FileNet CMIS, or IBM FileNet Collaboration Services.

    4. It is strongly recommended that document review not be enabled in the teamspace until after migration is complete. It serves no purpose in the migration use case and will create a very large backlog of approval tasks.

    5. If activity stream integration is enabled, use an “ignored” administrative user to perform the import. This will suppress event notifications for migrated content. See activity stream configuration in the IBM FileNet Content Manager Info Center for details.

    Operational planning for additional new features

    Several new features released in IBM FileNet Content Manager 5.2 require special consideration and planning for deployment and maintenance.

    Activity stream and event updates

    The IBM Connections activity stream, or updates page, is a powerful feature that provides users with a targeted time- and context-sensitive view of events across all of their Connections content. As of Connections 4.5 and IBM FileNet Content Manager 5.2, the activity stream includes events on ECM library content. CPE “pushes” event data directly to the IBM Connections server using a REST (HTTP) service interface. This push inverts the usual relationship. Instead of acting as a REST client, via FileNet Collaboration Services, Connections acts as the server and CPE is the client application. This connection can require special planning or network changes in some environments.

    Content Download Assistance

    IBM FileNet Collaboration Services 2.0 provides content download assistance, an optional service that leverages IBM HTTP Server (IHS) to cache and serve up document content. This feature can be an important component of large deployments, particularly those where many concurrent downloads of large files, such as streaming media, are a concern.
    Content download assistance requires that IHS serve as the front-end proxy for all FNCS requests (a common configuration, content download assistance aside). FNCS and IHS must both have access to a network file share for cached file content. Content caching outside the control of CPE has security implications – for example, cached content is not encrypted even if the source is an encrypted storage area – and should be considered carefully.

    Anonymous access

    In order to support content for public Connections communities, FNCS 2.0 supports anonymous access to ECM content. That is, users who are not logged into Connections or FileNet can have read access to community library content for public communities. This feature has security implications and is disabled by default.
    CPE itself does not allow any anonymous access. The feature is enabled within FNCS using a J2EE security role, configured in WebSphere Application Server. The role references a system-type account in the LDAP server. For “anonymous” URLs, FNCS will access CPE using the credentials of that user. FNCS applies very strict authorization to all resources accessed anonymously – regardless of the security privileges of the “anonymous” user account in the FileNet repository, read-only access to public community library content is the only type of operation permitted.
    An additional post-install step is required to configure the FileNet object store to correctly count downloads by anonymous users.

    Integrating Other ECM Applications

    An enterprise ECM deployment typically includes multiple dedicated ECM applications, including end-user clients such as Content Navigator, business servers such as InfoSphere Enterprise Records, and integrations with other services such as IBM Content Collector (ICC) or IBM Content Analytics (ICA). A CPE instance deployed using the CCM tooling is a fully functional server capable of supporting all entitled ECM applications. Similarly, a domain or object store created for Connections will support other ECM applications. However, some additional configuration might be necessary on an object store that was created for Connections use.
    This section describes some of the ECM applications that might be added to a CCM or CECE system and the changes necessary to integrate them with a CCM-type object store.

    IBM Content Navigator

    A single ICN instance can be configured to work with multiple repositories of different types. Each repository has a configuration where you specify the repository type (for example, FileNet Content Manager), connectivity information and repository-specific information such as the object store for FileNet.

    An object store created for community libraries, especially one created using the CCM tooling, differs from a typical object store in that it has only those addons required for teamspaces and social collaboration. It may not have all of the addons that Content Navigator requires. Therefore, use ACCE or FEM to install addons required by Content Navigator before adding the repository configuration. Required addons are:


    • P8 5.2.0 Base Application Extensions

    • P8 5.2.0 Stored Search Extensions

    • P8 5.2.0 Workplace Base Extensions

    • P8 5.2.0 Workplace Access Roles Extensions

    • P8 5.2.0 Workplace Forms Extensions


    Once the required addons are installed, you can configure the repository in Content Navigator. The teamspaces feature should be enabled. Browse can be enabled if you wish to allow users to browse the repository outside the context of teamspaces (the /ClbTeamspaces folder that contains all teamspaces is hidden by default and cannot be browsed). Search and workflow will typically not have been enabled on the object store, and will not be available in the Content Navigator repository until configured on the object store itself.

      An object store with security configured as required for Connections will not, by default, allow anyone other than object store administrators to create teamspaces. Connections initiates creation of community teamspaces using a preconfigured administrative account. Content Navigator, however, creates teamspaces under the credentials of the current user. It is a good practice to create or identify an LDAP group containing users who have rights to create teamspaces, and then grant that group "create subfolder" rights on /ClbTeamspaces using ACCE or FEM. After that, no manual permissions management on teamspaces is required. Content Navigator manages permissions based on teamspace membership and roles.

      The default security configuration for Connections will also not allow non-administrative users to browse or create content in any location other than a teamspace of which they are a member. This security level is appropriate for a Content Navigator desktop that does not include the "browse" feature. If "browse" is enabled, then you must grant users some level of access outside of teamspaces. The following guidelines should help.

      • Identify or create a group of users who should have basic browse access to extra-teamspace content. You can use #AUTHENTICATED_USERS (all users), but if you do then exercise caution in the remaining procedure.

      • Edit security permissions on the object store root folder and add "view properties" access for the user group. Choose "this object only" as the permissions scope; do not use "all children", as this might grant users an inappropriate level of access to restricted teamspace content or to restricted folders that you create later.

      • Create one or more top-level folders for end users. For each folder, identify or create one or more user groups and add appropriate permissions for each group at the folder level. Here, it is safe to use the scope "this object and all children" because the inherited permissions will only apply to content that users create in the new folder.

      • Do not modify security on /ClbTeamspaces (except as described above to allow teamspace creation).


      Users access Content Navigator through a desktop, with each desktop targeted at a specific set of users. Within each desktop you configure one or more repositories. The repositories can be of different types. For example, you can configure a desktop to include, as repositories, three object stores from a single FileNet domain, or two object stores from different FileNet domains and a third-party repository (using the CMIS connector).

        It is a good practice to create a new, dedicated desktop for use alongside Connections. The desktop should include the community library object store as a repository, and use that repository for authentication. The latter step helps simplify single sign-on configuration with Connections. The desktop can be customized to match the look and feel of the Connections deployment for a seamless user experience.

        For detailed instructions on configuring desktops and repositories, see the IBM Content Navigator info center.

        WorkplaceXT and Application Engine

        IBM Content Navigator is now the preferred end user client application for ECM. However, WorkplaceXT is, as of this writing, still required to perform certain administrative tasks such as building stored searches or designing workflows. FileNet Application Engine (AE), also known as Workplace, is the precursor to WorkplaceXT. This section applies to both components.

        Required AddOns for WorkplaceXT and AE are:

        • P8 5.2.0 Base Application Extensions

        • P8 5.2.0 Stored Search Extensions

        • P8 5.2.0 Publishing Extensions

        • P8 5.2.0 Workplace Base Extensions

        • P8 5.2.0 Workplace Template Extensions

        • P8 5.2.0 Workplace XT Extensions

        • P8 5.2.0 Workplace Access Roles Extensions

        • P8 5.2.0 Workplace Forms Extensions

        • P8 5.2.0 Workplace Email Extensions



        Install these addons using FEM or ACCE before attempting to view the object store in WorkplaceXT or AE.

          In many deployments WorkplaceXT or AE will only be used by administrators (to design workflows, etc.). Content Navigator is a better choice for end users. If WorkplaceXT or AE is to be used by end users, then you must modify security to allow browse access as described in the Content Navigator section.

          WorkplaceXT and AE must be configured with a default object store, which holds the main site preferences configuration file along with preferences for individual users. It is a good practice to use a separate object store for this purpose, rather than the community library object store. This separation makes it easier to configure security on both object stores and helps to isolate dependencies between WorkplaceXT/AE and Connections. However, it is possible to use the community libraries object store as the WorkplaceXT/AE default. In this configuration, it will probably be necessary to modify security on the site preferences folder or on the site preferences document class so that end users have appropriate access to configuration data.

          InfoSphere Enterprise Records

          InfoSphere Enterprise Records (IER) can use an object store created for community libraries as a records object store (ROS), so that community content, along with other content in the object store, can be brought under records management. The file plan object store (FPOS) must be a separate object store, as is always required for IER.

          IER requires the same set of object store addons as Workplace XT. If all required addons are not present, then records declaration will not function in Content Navigator or WorkplaceXT/AE. Once all required addons are installed, both Content Navigator and WorkplaceXT/AE require some additional configuration to support records declaration.

          In WorkplaceXT/AE, log in as an administrator and enable records declaration in the main application site preferences. See the WorkplaceXT info center for details.

          In Content Navigator, enable records declaration on the repository configuration for the ROS. The desktop must include both the ROS and the FPOS, even if end users do not directly use the FPOS. The CPE connectivity parameters for the ROS and FPOS must use the same URL for the CPE server; if the URLs do not match, records declaration might not be available from Content Navigator even when both URLs are correct and functional. See the Content Navigator info center for details.

          When performing records declaration on content within a community library, be sure to enable "partial proxy" security so that the Connections security model is preserved. Note that records declaration can still affect access rights. See the IER info center or this technote for more information. Also be certain to enable postfiltering for Connections search so that content that has been restricted by IER is not exposed in search results to users who should not see it.

          Other considerations

          A few additional features and constraints apply and will be of interest when planning new or enhanced deployments.

          CPE as a Connections client

          Previous sections on the LDAP directory provider and activity stream describe how the CPE server must now connect to the IBM Connections server as a client. This inversion of the typical topology has two important implications.

          First, the CPE server must be able to initiate and maintain HTTP connections to the IBM Connections server. Network configuration changes, such as firewall rules, might be necessary in some N-tiered networks in order to allow these connections.

          Second, IBM Connections now serves as a necessary and critical piece of the ECM system infrastructure: the LDAP directory provider. If CPE cannot retrieve community membership information from Connections, then it cannot perform authorization on access requests to any ECM content within a domain that uses Connections as its directory provider. Therefore, fault tolerance and failover capabilities for the Connections server are important in maintaining availability of the ECM system, and scheduled maintenance activities must be carefully planned and coordinated.

          At present, there is no way to use the Connections directory provider without introducing this dependency. Customers who plan to have ECM content used primarily outside of Connections, or who have ECM components that they do not wish to have any dependency on Connections, might consider using two FileNet domains: one for Connections community libraries, which depends on Connections, and one for all other content, with no dependency on Connections. Content in the latter domain could still be managed in Connections using the linked library feature. A similar architecture is recommended elsewhere for customers who wish to avoid a directory migration of existing FileNet content.

          Application servers

          IBM Connections and community libraries integration with VMM require the use of IBM WebSphere as the application server.

          In an existing WebSphere-based FileNet deployment, an upgrade to a WAS version supported by both IBM Connections and FileNet Content Manager 5.2 might be required.

          At present IBM FileNet Collaboration Services only supports WebSphere, and must run on the same application server as CPE to enable EJB communication. Therefore, WebSphere is a requirement for the FileNet deployment.

          For existing WebLogic- or JBoss-based FileNet deployments, the options are a migration to WebSphere or the use of a new, dedicated, WebSphere-based FileNet domain for Connections (a dedicated domain is recommended for other reasons, as discussed below).

          Within a WebSphere environment, it is recommended that IBM Connections be deployed within the same cell as IBM FileNet.

          Previous FileNet Content Manager versions

          IBM FileNet Content Manager 4.5.1, 5.0 and 5.1 support integration with IBM Connections via the linked library community component. With these versions, end users can create, edit, and version document content and metadata, create and manage folders, and search for content. However, the new social features (activity stream, sharing, document approval and integrated community search) all rely on crucial enhancements that were built into FileNet Content Manager 5.2. These features will not be available until FileNet Content Manager has been upgraded to 5.2. Then, social features will be available in the types of libraries that support them, as described in the table above.

          ECM client application integration

          The IBM Connections document library can expose links to document content and metadata in other ECM client applications. To enable this feature, configure UI integration URLs in IBM FileNet Collaboration Services. By default, FNCS generates URLs for IBM Content Navigator. However, it can be configured to generate URLs for Workplace, WorkplaceXT or custom client applications.

          The CCM installer

          The Connections Content Manager product includes IBM FileNet Content Manager and comes with an installer that can automatically configure several requirements of the Connections integration, such as the Connections directory provider. Customers who have other ECM entitlement (CECE, existing standalone FileNet, etc.) can use the CCM installer and may find it to be an attractive option, particularly for a new, dedicated FileNet domain. Other ECM components such as IBM Content Navigator or IBM Enterprise Records can then be installed or configured to work with the new FileNet Content Manager server.

          The CCM installer is adaptable to clustered environments. It contains hard-coded names for the FileNet domains and object stores it creates, but these can be changed after creation using FileNet administrative tools.

          Deployment recommendations

          The following deployment pattern captures IBM's recommendations and allows full use of social features and Communities integration with minimal effect on existing content.

          1. Create a new domain for Connections community content. Use the Connections directory provider for this domain. Use the default LDAP attribute, UUID, as the primary ID attribute or select a suitable unique, non-reusable alternative.

          2. Within the new domain, create a new object store for community libraries. Use the Connections configuration tool to create this object store so that permissions are set up correctly, and all necessary AddOns are installed.

          3. Install teamspaces and social collaboration addons on additional object stores in the original domain to use with IBM Content Navigator and Connections linked libraries.

          4. In the long term, migrate the original domain to the Connections directory provider. At that time, the communities object store can be moved to the original domain.


          Appendices

          Appendix A: Creating object stores

          The process for creating an Object store consists of several steps. This appendix details the steps required to correctly configure security:
          1. Create the object store, specifying the Connections Global Administrator group as the principal for the object store Administrators, and specifying the same Connections Global Administrator group as the principal for General Object Store users.
          2. Edit the permissions on the Object Store object, granting “Use Object Store” level permission to the #AUTHENTICATED-USERS principal. Set InheritableDepth=0 (or, if performing these steps manually via FEM / ACCE, choose “This object only” in the Apply To dropdown).
          3. Update the permissions on the Class Definitions for the business object classes that must be created at runtime by Connections users. The #AUTHENTICATED-USERS principal should be granted the following permissions on each of these classes: View all properties, CreateInstance.
          These permissions should be set to inherit to all subclasses (InheritableDepth=-1 or ”This object and all children” in the Apply To dropdown, if performing these steps manually via FEM / ACCE). When using the FileNet Enterprise Manager (FEM) tool, this is done by editing the values in the Security tab for these classes. These permissions should be added to the following classes before AddOns are installed:

            ◦ Document
            ◦ Folder
            ◦ Custom Object
            ◦ Referential Containment Relationship
            ◦ Dynamic Referential Containment Relationship
            ◦ Abstract Persistable
            ◦ Abstract Queue Entry
            ◦ Choice List
            ◦ Recovery Bin
            ◦ Recovery Item
            ◦ Task

          4. Set Default Instance Permissions on the Choice List class to grant #AUTHENTICATED-USERS the View all properties right on Choice List instances. These permissions should be set to inherit to all subclasses (InheritableDepth=-1 or ”This object and all children” in the Apply To dropdown, if performing these steps manually via FEM / ACCE).
          5. Set Default Instance Permissions on the Task Relationship class to grant #AUTHENTICATED-USERS the View all properties right on Task Relationship instances. These permissions should be set to inherit to all subclasses (InheritableDepth=-1 or ”This object and all children” in the Apply To dropdown, if performing these steps manually via FEM / ACCE).
          6. Set Default Instance Permissions on the system Property Template classes for each of the eight Content Engine data types to grant #AUTHENTICATED-USERS the View all properties right on PropertyTemplates that are created by AddOns. These permissions should be set to inherit to all subclasses (InheritableDepth=-1 or ”This object and all children” in the Apply To dropdown, if performing these steps manually via FEM / ACCE). The classes that must be modified are:
            • PropertyTemplateBinary
            • PropertyTemplateBoolean
            • PropertyTemplateDateTime
            • PropertyTemplateFloat64
            • PropertyTemplateId
            • PropertyTemplateInteger32
            • PropertyTemplateObject
            • PropertyTemplateString
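          The steps above hinge on the InheritableDepth value attached to each permission: a permission set with depth 0 applies to that one object, while depth -1 flows down to every descendant, so a class created later by an AddOn picks it up. The following Python model is an added example, not code from this white paper or from the FileNet product, that reproduces that inheritance rule over a small class tree and audits whether the Appendix A grants reach every class (and a hypothetical AddOn-created subclass of Document). The object store is modelled as the root of the tree, the group name "ConnectionsGlobalAdmins" and the subclass "AddOnDocument" are constructed, and the class names are the ones listed in step 3.

```python
"""Model of Content Engine permission inheritance (InheritableDepth) used to
audit the Appendix A security configuration of a Connections-enabled object
store. Constructed example: the object store is treated as the root of a
securable-object tree; the admin group name and the AddOnDocument subclass
are assumptions, the other class names come from Appendix A step 3."""

from dataclasses import dataclass, field

AUTH_USERS = "#AUTHENTICATED-USERS"
ADMIN_GROUP = "ConnectionsGlobalAdmins"  # assumed name of the Connections Global Administrator group

# InheritableDepth values as used by FileNet P8:
#   0  -> this object only
#  -1  -> this object and all children
#   n  -> this object and n levels of descendants
THIS_OBJECT_ONLY = 0
ALL_CHILDREN = -1

# Classes that must grant View all properties + CreateInstance (Appendix A, step 3)
REQUIRED_CLASSES = [
    "Document", "Folder", "Custom Object",
    "Referential Containment Relationship",
    "Dynamic Referential Containment Relationship",
    "Abstract Persistable", "Abstract Queue Entry", "Choice List",
    "Recovery Bin", "Recovery Item", "Task",
]
CLASS_RIGHTS = frozenset({"View all properties", "CreateInstance"})


@dataclass(frozen=True)
class Permission:
    grantee: str
    rights: frozenset
    inheritable_depth: int


@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    permissions: list = field(default_factory=list)
    children: list = field(default_factory=list)

    def add_child(self, name):
        child = Node(name, parent=self)
        self.children.append(child)
        return child


def effective_rights(node, grantee):
    """Rights `grantee` holds on `node`: direct grants plus grants on ancestors
    whose InheritableDepth reaches down to this node's level."""
    rights = set()
    depth = 0          # 0 = the node itself, 1 = its parent, ...
    current = node
    while current is not None:
        for perm in current.permissions:
            if perm.grantee != grantee:
                continue
            reaches = (perm.inheritable_depth == ALL_CHILDREN
                       or perm.inheritable_depth >= depth)
            if reaches:
                rights |= perm.rights
        current = current.parent
        depth += 1
    return frozenset(rights)


def build_store(class_depth=ALL_CHILDREN):
    """Build the tree as Appendix A prescribes; `class_depth` lets a caller
    model the mistake of leaving step 3 grants at 'This object only'."""
    store = Node("ObjectStore")
    # Step 1: admin group owns the store; step 2: everyone may use the store, depth 0
    store.permissions.append(Permission(ADMIN_GROUP, frozenset({"Full Control"}), ALL_CHILDREN))
    store.permissions.append(Permission(AUTH_USERS, frozenset({"Use Object Store"}), THIS_OBJECT_ONLY))
    classes = {}
    for name in REQUIRED_CLASSES:
        cls = store.add_child(name)
        cls.permissions.append(Permission(AUTH_USERS, CLASS_RIGHTS, class_depth))
        classes[name] = cls
    # Hypothetical subclass added by an AddOn after the grants were made
    classes["AddOnDocument"] = classes["Document"].add_child("AddOnDocument")
    return store, classes


def audit(store, classes):
    """Return a list of findings; an empty list means Appendix A is satisfied."""
    problems = []
    if "Use Object Store" not in effective_rights(store, AUTH_USERS):
        problems.append("ObjectStore: #AUTHENTICATED-USERS cannot use the object store")
    for name, cls in classes.items():
        missing = CLASS_RIGHTS - effective_rights(cls, AUTH_USERS)
        if missing:
            problems.append(f"{name}: missing {sorted(missing)}")
    return problems


if __name__ == "__main__":
    good_store, good_classes = build_store()
    print("as documented:", audit(good_store, good_classes) or "OK")
    bad_store, bad_classes = build_store(class_depth=THIS_OBJECT_ONLY)
    print("depth 0 on classes:", audit(bad_store, bad_classes))
```

Running the module shows the configured tree passing the audit, while the variant that leaves the step 3 grants at "This object only" reports the AddOn-created subclass as missing both rights, which is exactly the runtime failure the "inherit to all subclasses" instruction is there to prevent. The depth 0 grant on the object store, by contrast, stays on the store itself and does not appear on any class.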


          Appendix B: Required AddOns

          Each of the following AddOns must be installed in an object store enabled for IBM Connections:
            • 5.2.0 Base Content Engine Extensions
            • 5.2.0 Base Application Extensions
            • 5.2.0 Teamspace Extensions
            • 5.2.0 Custom Role Extensions
            • 5.2.0 Social Collaboration Role Extensions
            • 5.2.0 Social Collaboration Base Extensions
            • 5.2.0 Social Collaboration Notification Extensions
            • 5.2.0 Social Collaboration Search Indexing Extensions
            • 5.2.0 Social Collaboration Document Review Extensions
            • 5.2.0 Social Collaboration User Identity Extensions


          Appendix C: Other Resources

          ◦ IBM FileNet P8 5.2 Info Center: http://pic.dhe.ibm.com/infocenter/p8docs/v5r2m0/index.jsp
          ◦ IBM FileNet Collaboration Services Info Center: http://pic.dhe.ibm.com/infocenter/p8docs/v5r2m0/topic/com.ibm.installingp8qkr.doc/qkrpi001.htm
          ◦ IBM Connections 4.5 Documentation: http://www-10.lotus.com/ldd/lcwiki.nsf/xpViewCategories.xsp?lookupName=IBM%20Connections%204.5%20Documentation

          Original publication date

          2013/8/22

          Cross reference information
          Segment Product Component Platform Version Edition
          Organizational Productivity- Portals & Collaboration Content Manager Collaboration Edition
          Organizational Productivity- Portals & Collaboration IBM Connections Content Manager 4.5
          Organizational Productivity- Portals & Collaboration Lotus Quickr Connectors ECM
          Enterprise Content Management Content Manager Services for Lotus Quickr
          Enterprise Content Management FileNet Services for Lotus Quickr

          Document information


          More support for:

          FileNet Content Manager
          Collaboration Services

          Software version:

          5.2.0

          Operating system(s):

          AIX, HP-UX, Linux, Solaris, Windows

          Reference #:

          7039012

          Modified date:

          2014-06-12
